Contact Us

Services

SSAE 18 Attestations

For decades, MBAF has been assisting clients with all of their assurance reporting requirements including expert guidance and attestation services for service organizations.

Companies (service organizations) that provide services to other companies (user entities) are often asked to provide proof that their internal controls are working effectively so that their clients’ auditors and regulators can obtain annual assurance. Today, the preferred assurance mechanism to efficiently handle these audit requests is more than likely a SOC (Service Organization Controls) report. There are presently three SOC reports: SOC 1, SOC 2, and SOC 3.

The professional standards used to assess the internal controls or trust principles of a service organization and issue a service auditor’s report are issued by the AICPA. Examples of service organizations are employee benefits plans, payroll processors, insurance and medical claims processors, trust companies, hosted data centers, cloud service providers, managed security providers, credit card processing organizations and clearinghouses. The correct SOC report is determined by the user entity’s requirements and the impact of service organization’s controls. Our team can help you determine which report is right for your service organization.

At MBAF, our advisors have extensive SOC experience serving large companies familiar with audit processes and smaller companies without prior audit or SSAE 18 (formerly SAS 70) attestation experience. We understand the significant changes and responsibilities placed upon service organizations with the new SSAE 18 standards. Our Attestation Services Group combines the experience and expertise of certified public accountants and certified information systems auditors with active knowledge of accounting, audit, and internal controls.

We will help you navigate the complexities of SSAE 18 attestation, so you can focus on serving your customers and growing your business.

SOC Readiness Assessments

Our SOC Readiness Assessment assists service organizations determine their readiness to undergo a successful SOC 1, SOC 2, or SOC 3 Attestation engagement. We help clients determine the appropriate report, scope, and criteria. This determines the scope of the control objectives and helps us review the related controls and procedure to ascertain the adequacy of these controls and whether they address all of the major aspects of the control environment that may be relevant to the specific type of report.

SOC 1 Report

Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

This meets the needs of user entities’ managements and auditors as they evaluate the effect of a service organization’s controls on a user entity’s financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of compliance with laws and regulations and for when user entity auditors plan and perform financial statement audits.

SOC 2 Report

Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)

For those who need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality or privacy. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Stakeholders who may use these reports include management or those charged with governance of the user entities and of the service organization, customers, regulators, business partners and suppliers, among others.

SOC 3 Report

Trust Services Principles, Criteria, and Illustrations

Designed to accommodate users who want assurance on a service organization’s controls related to security, availability, processing integrity, confidentiality or privacy but do not have the need for the detailed and comprehensive SOC 2 Report. It can be used in a service organization’s marketing efforts.

Which SOC Report is right for you?

Will report be used by your customers and their auditors to plan/perform an audit of their financial statements?

Yes

SOC 1 Report

Will report be used by customers/stakeholders to gain confidence and place trust in a service organization’s system?

Our approach

Our approach to completing a SOC engagement has been developed and fine-tuned through decades of professional practice to minimize the impact on your resources and increase the effectiveness of your engagement. Our approach includes:

Perform risk assessment

Evaluate the accuracy of the description of the system

Assess factors that may cause the control objectives to fail

Assess management’s assertions for ensuring that the controls are operating effectively

Assess the availability of evidence that the controls are operating effectively

MBAF Certified Public Accountants LLP trading as MBAF Certified Public Accounts, LLP is a member of the global network of Baker Tilly International ltd., the members of which are separate and independent legal entities.

Latest Advisories

The Tax Cuts and Jobs Act, (The Act), has brought with it many changes that impact all taxpayers. One of the provisions of The Act that may impact many Americans is the new legislation that repealed the alimony deduction after 12/31/2018. Most people ...

Patient investors generally have prospered over the long term. Nevertheless, there are many reasons for selling stocks. Knowing the basics can help improve your tax position. Selling shares held in a taxable account will trigger taxable capital gains ...

It is now the middle of February, 2019 and we have already been exposed to a great many tax returns that are subject to the new IRS Partnership audit rules, which became effective on January 1, 2018. Unfortunately, we have seen very few Partnerships ...